Tips and Tricks: Filtering the Security Policy

Digging into the depths of policy details can be quite the task, especially after a long and tiring day. But fear not, handy search tools are here to lighten your load!

Here's how it works: Simply pop in a keyword related to what you're hunting for. This could be the name of a policy (just squish it into one word), an IP address or object name, maybe an application, or even a service.

Keep in mind though, wildcards (like *) aren't supported. You'll need a partial or an exact match.

Add a partial IP address and you'll get all the partial and exact matches in the result:

Want to narrow things down even further? You can target your search to specific fields like the source zone or application. And guess what? There’s a super handy drop-down function that sets up your search filter in a snap. Easy-peasy!

You can also create a search string manually. I've provided a list of all fields below:

Name: (name contains 'unlocate-block')

Tags: (tag/member eq 'tagname')

Type: (rule-type eq 'intrazone|interzone')

Source Zone: (from/member eq 'zonename')

Source Address: (source/member eq 'any|ip|object')

Source User: (source-user/member eq 'any|username|groupname')

Hip profile:  (hip-profiles/member eq 'any|profilename')

Destination Zone: (to/member eq 'zonename')

Destination Address: (destination/member eq 'any|ip|object')

Destination User: (destination-user/member eq 'any|username|groupname')

Application: (application/member eq 'any|applicationname|applicationgroup|applicationfilter')

Service: (service/member eq 'any|servicename|application-default')

URL Category: (category/member eq 'any|categoryname')

           This is a destination category, not a URL filtering security profile

Action: (action eq 'allow|drop|deny|reset-client|reset-server|reset-both')

Action send ICMP unreachable: (icmp-unreachable eq 'yes')

Security Profiles:

      (profile-setting/profiles/virus/member eq 'profilename')

      (profile-setting/profiles/spyware/member eq 'profilename')

      (profile-setting/profiles/vulnerability/member eq 'profilename')

      (profile-setting/profiles/url-filtering/member eq 'profilename')

      (profile-setting/profiles/file-blocking/member eq 'profilename')

      (profile-setting/profiles/wildfire-analysis/member eq 'profilegroupname')

      (profile-setting/group/member eq 'profilename')

Disable server response inspection: (option/disable-server-response-inspection eq 'yes')

Log at session start: (log-start eq 'yes|no')

Log at session end: (log-end eq 'yes|no')

Schedule: (schedule eq 'schedulename')

Log Forwarding:  (log-setting eq "forwardingprofilename')

Qos Marking:    (qos/marking/ip-dscp eq 'codepoint')

                            (qos/marking/ip-precedence eq 'codepoint')

                            (qos/marking/follow-c2s-flow eq '')

Description: (description contains '<keyword>')

Disabled policy: (disabled eq yes|no)  

           policies will only respond to 'no' if they have been disabled before

As you can see in the examples above the operands are 'contains' and 'eq' (=equals).

Note that you can also use the negate option using the operand 'neq' (=not equals).

For example, here's how you can use the negate option to list all the rules that do NOT have a ALLOW action: (action neq 'allow'):

Tag Browser can also come in very handy if you're able to tag all your security policies. It can be used in a similar way as the search function and display only the selected tags.

More information and a tutorial video on the Tag Browser can be found here: Tutorial: Tag Browser

Hope this was helpful, feel free to ask questions or post remarks below.

Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

Stay Secure,
Kiwi out!